Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
74s -
max time network
166s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
01/07/2024, 21:04
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
43fcf215efe78f497a989f7cb7d9381f9e5659922be1f17210542500ee2770a3.exe
Resource
win7-20240508-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
43fcf215efe78f497a989f7cb7d9381f9e5659922be1f17210542500ee2770a3.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
43fcf215efe78f497a989f7cb7d9381f9e5659922be1f17210542500ee2770a3.exe
-
Size
144KB
-
MD5
dd1b3e8ec44f2e81ff4550c18780f6d7
-
SHA1
bd44ceb91aa531a560194c11b34f692acf8d3dfa
-
SHA256
43fcf215efe78f497a989f7cb7d9381f9e5659922be1f17210542500ee2770a3
-
SHA512
2115f4eb2251b05396b755f9d02c48a593c4abf7ede36abfdc8747918e3b71887a9d1644af208e4cf3df7e26fb961f2874ba1b3485e33c81604cd0718d901272
-
SSDEEP
3072:2/Yb3yXFGKJqnoP6V9j53kremwc/gHq/Wp+YmKfxgQd:2/Q3UsoeZ53/fc/UmKyI
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Meadlo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mgkjch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pahpee32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qejfkmem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aeeomegd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jckeokan.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahngmnnd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nifele32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nopfpgip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kfidgk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abdoqd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onngci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Npnqcpmc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afnefieo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gjghdj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ifckkhfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kcikfcab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bqpbboeg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pidamcgd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qgdabflp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Deidjf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfngcdhi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hcfcmnce.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lohqnd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njokei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mlialb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmepcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kfggbope.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Amlogfel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nijqcf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hllkqdli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jihngboe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qkdohg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgjjoi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nfaijand.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dcibca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Knifging.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jmepcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ojmgggdo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkholi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjdgal32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mehafq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pkhhbbck.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lknjhokg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Llngbabj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojhnlh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oophlo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekimjn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hcommoin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Djklgb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmkbeg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odcojm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mmebpbod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mdokmm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odfcjc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcpqgbkj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbmohmoh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pknghk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pbifol32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgkegn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qajlje32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndfanlpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ogdofo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jodlof32.exe -
Executes dropped EXE 64 IoCs
pid Process 4196 Jmbhoeid.exe 2616 Kpanan32.exe 2084 Lcdciiec.exe 2116 Lgdidgjg.exe 2328 Lcnfohmi.exe 960 Nopfpgip.exe 416 Ocgbld32.exe 232 Ojajin32.exe 4640 Pjkmomfn.exe 1596 Qjiipk32.exe 1060 Amlogfel.exe 3748 Bdojjo32.exe 3628 Bpkdjofm.exe 1996 Cgnomg32.exe 1460 Dahmfpap.exe 4416 Eohmkb32.exe 4980 Eqncnj32.exe 1432 Fbmohmoh.exe 4600 Fkhpfbce.exe 1516 Finnef32.exe 2808 Gacepg32.exe 2060 Glhimp32.exe 2228 Hbenoi32.exe 5060 Hnlodjpa.exe 1892 Hicpgc32.exe 1704 Hbnaeh32.exe 3824 Ieojgc32.exe 3600 Iojkeh32.exe 2320 Ipihpkkd.exe 1648 Ibjqaf32.exe 4032 Jemfhacc.exe 2816 Kapfiqoj.exe 1292 Khiofk32.exe 2388 Klggli32.exe 4360 Lohqnd32.exe 2752 Lojmcdgl.exe 2636 Lhenai32.exe 4688 Lfiokmkc.exe 3956 Mjggal32.exe 3584 Mokfja32.exe 464 Momcpa32.exe 3812 Njedbjej.exe 1968 Nqoloc32.exe 2156 Nijqcf32.exe 1836 Nfqnbjfi.exe 4940 Objkmkjj.exe 2000 Oifppdpd.exe 4272 Oophlo32.exe 4460 Aimogakj.exe 4144 Adgmoigj.exe 1788 Aalmimfd.exe 2376 Baepolni.exe 3484 Bfaigclq.exe 1512 Cpljehpo.exe 3896 Calfpk32.exe 228 Cgklmacf.exe 4476 Dcibca32.exe 5036 Dajbaika.exe 3880 Dncpkjoc.exe 4188 Enemaimp.exe 3388 Ekimjn32.exe 3756 Eddnic32.exe 404 Fkcpql32.exe 3648 Hkcbnh32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Aijlgkjq.exe Abpcja32.exe File created C:\Windows\SysWOW64\Bfpolopd.dll Mphamg32.exe File created C:\Windows\SysWOW64\Ajjjjghg.exe Ahinbo32.exe File opened for modification C:\Windows\SysWOW64\Cjaiac32.exe Ciqmjkno.exe File created C:\Windows\SysWOW64\Djipbbne.exe Cjaiac32.exe File opened for modification C:\Windows\SysWOW64\Qpbgnecp.exe Qihoak32.exe File created C:\Windows\SysWOW64\Cnaoemei.dll Liifnp32.exe File created C:\Windows\SysWOW64\Mfkcibdl.exe Lcealh32.exe File opened for modification C:\Windows\SysWOW64\Bdnkhn32.exe Bndblcdq.exe File created C:\Windows\SysWOW64\Mgieqpje.dll Jgbhdkml.exe File opened for modification C:\Windows\SysWOW64\Bqkigp32.exe Ajaqjfbp.exe File created C:\Windows\SysWOW64\Llngbabj.exe Lbebilli.exe File created C:\Windows\SysWOW64\Mhdpjm32.dll Jmgmhgig.exe File created C:\Windows\SysWOW64\Afhgoj32.dll Agobna32.exe File opened for modification C:\Windows\SysWOW64\Hhehkepj.exe Hfgloiqf.exe File created C:\Windows\SysWOW64\Cnaphbnj.dll Nfdfoala.exe File created C:\Windows\SysWOW64\Mbiapehp.dll Hakidd32.exe File created C:\Windows\SysWOW64\Lfcfnm32.exe Lcdjba32.exe File created C:\Windows\SysWOW64\Lfcpgb32.dll 43fcf215efe78f497a989f7cb7d9381f9e5659922be1f17210542500ee2770a3.exe File opened for modification C:\Windows\SysWOW64\Obkiqi32.exe Olqqdo32.exe File opened for modification C:\Windows\SysWOW64\Pbifol32.exe Pgcbbc32.exe File created C:\Windows\SysWOW64\Jemfhacc.exe Ibjqaf32.exe File created C:\Windows\SysWOW64\Kjiqkhgo.dll Iojkeh32.exe File created C:\Windows\SysWOW64\Dmehgibj.dll Iholohii.exe File created C:\Windows\SysWOW64\Nkpijfgf.exe Ndfanlpi.exe File opened for modification C:\Windows\SysWOW64\Niglfl32.exe Ndjcne32.exe File created C:\Windows\SysWOW64\Njmopj32.exe Nbefolao.exe File created C:\Windows\SysWOW64\Eanmnefk.dll Lcdciiec.exe File created C:\Windows\SysWOW64\Bdbbme32.dll Bfaigclq.exe File created C:\Windows\SysWOW64\Bcqbmqdi.dll Pnhacn32.exe File created C:\Windows\SysWOW64\Hljnkdnk.exe Hjieii32.exe File opened for modification C:\Windows\SysWOW64\Jfjakgpa.exe Jckeokan.exe File created C:\Windows\SysWOW64\Bgjjoi32.exe Bqpbboeg.exe File created C:\Windows\SysWOW64\Pjfffd32.dll Lcpqgbkj.exe File created C:\Windows\SysWOW64\Lmheph32.exe Ljjicl32.exe File created C:\Windows\SysWOW64\Eohmkb32.exe Dahmfpap.exe File created C:\Windows\SysWOW64\Bdicce32.dll Ahgamo32.exe File created C:\Windows\SysWOW64\Clbcll32.dll Djipbbne.exe File opened for modification C:\Windows\SysWOW64\Mdokmm32.exe Mmebpbod.exe File created C:\Windows\SysWOW64\Gcngafol.exe Ecidpiad.exe File created C:\Windows\SysWOW64\Piffmfnj.dll Pgoigcip.exe File created C:\Windows\SysWOW64\Aocmio32.exe Agmehamp.exe File created C:\Windows\SysWOW64\Dfebnlgm.dll Hhehkepj.exe File opened for modification C:\Windows\SysWOW64\Jgbhdkml.exe Jmmcgbnf.exe File created C:\Windows\SysWOW64\Geloma32.dll Qlomemlj.exe File opened for modification C:\Windows\SysWOW64\Fbmohmoh.exe Eqncnj32.exe File opened for modification C:\Windows\SysWOW64\Pcfmneaa.exe Pbgqdb32.exe File opened for modification C:\Windows\SysWOW64\Ndfanlpi.exe Nmlhaa32.exe File created C:\Windows\SysWOW64\Apqddgbj.dll Naokbokn.exe File created C:\Windows\SysWOW64\Jikjmbmb.exe Jginej32.exe File created C:\Windows\SysWOW64\Qkamof32.dll Kimgba32.exe File created C:\Windows\SysWOW64\Lckglc32.exe Kkdoje32.exe File created C:\Windows\SysWOW64\Ghpblhco.dll Pidamcgd.exe File created C:\Windows\SysWOW64\Pboglh32.dll Ipihpkkd.exe File opened for modification C:\Windows\SysWOW64\Ekimjn32.exe Enemaimp.exe File created C:\Windows\SysWOW64\Mehafq32.exe Loniiflo.exe File opened for modification C:\Windows\SysWOW64\Kkdoje32.exe Kfggbope.exe File created C:\Windows\SysWOW64\Bdojjo32.exe Amlogfel.exe File opened for modification C:\Windows\SysWOW64\Mlbllc32.exe Lmmokgne.exe File created C:\Windows\SysWOW64\Khcgfo32.exe Kebodc32.exe File created C:\Windows\SysWOW64\Mnfooh32.dll Lknjhokg.exe File opened for modification C:\Windows\SysWOW64\Abdoqd32.exe Ajmgof32.exe File created C:\Windows\SysWOW64\Eqnmad32.dll Kmobii32.exe File opened for modification C:\Windows\SysWOW64\Oophlo32.exe Oifppdpd.exe -
Program crash 2 IoCs
pid pid_target Process procid_target 7880 1996 WerFault.exe 752 7584 1996 WerFault.exe 752 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jcoioabf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nhhldc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kohcfcqo.dll" Pnjgog32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kkdoje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Keebjojo.dll" Dpglmjoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nogoacbd.dll" Lmmokgne.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ndfanlpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qdllffpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Polnbakm.dll" Ajjjjghg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hakidd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mimbfg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pjjaci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ahpdcn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oljkcpnb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Olqqdo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kpanan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdchhk32.dll" Ijkdkq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikgahofh.dll" Njfafhjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgnpek32.dll" Lohqnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhljen32.dll" Kdmeqo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dipffc32.dll" Fhllni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhgnka32.dll" Ioafchai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ojmgggdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opedqiad.dll" Jfoaam32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Odhppclh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlhomk32.dll" Kkdoje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcblbn32.dll" Igjlibib.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jcihjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmoiki32.dll" Jcfejfag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cgnomg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpjlgn32.dll" Iqpclh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nhicoi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Afkipi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdgjaf32.dll" Akogio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjqgfmbl.dll" Nibbklke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knemellp.dll" Paaidf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bhennm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jhejgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eibmbgdm.dll" Finnef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngekilj.dll" Ieojgc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnfooh32.dll" Lknjhokg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kmeiie32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nocbfjmc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hljnkdnk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aqbfaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbccec32.dll" Bndblcdq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ciqmjkno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jmepcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnfnab32.dll" Lmkbeg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmdbil32.dll" Mfhpilbc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mlgegcng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pjkmomfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bichcc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knfaph32.dll" Nfaijand.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnkdbl32.dll" Omgabj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID 43fcf215efe78f497a989f7cb7d9381f9e5659922be1f17210542500ee2770a3.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oifppdpd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Calfpk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pkholi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dpdogj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lgjglg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ndejcemn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ogmiepcf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bqkigp32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4400 wrote to memory of 4196 4400 43fcf215efe78f497a989f7cb7d9381f9e5659922be1f17210542500ee2770a3.exe 91 PID 4400 wrote to memory of 4196 4400 43fcf215efe78f497a989f7cb7d9381f9e5659922be1f17210542500ee2770a3.exe 91 PID 4400 wrote to memory of 4196 4400 43fcf215efe78f497a989f7cb7d9381f9e5659922be1f17210542500ee2770a3.exe 91 PID 4196 wrote to memory of 2616 4196 Jmbhoeid.exe 92 PID 4196 wrote to memory of 2616 4196 Jmbhoeid.exe 92 PID 4196 wrote to memory of 2616 4196 Jmbhoeid.exe 92 PID 2616 wrote to memory of 2084 2616 Kpanan32.exe 93 PID 2616 wrote to memory of 2084 2616 Kpanan32.exe 93 PID 2616 wrote to memory of 2084 2616 Kpanan32.exe 93 PID 2084 wrote to memory of 2116 2084 Lcdciiec.exe 94 PID 2084 wrote to memory of 2116 2084 Lcdciiec.exe 94 PID 2084 wrote to memory of 2116 2084 Lcdciiec.exe 94 PID 2116 wrote to memory of 2328 2116 Lgdidgjg.exe 95 PID 2116 wrote to memory of 2328 2116 Lgdidgjg.exe 95 PID 2116 wrote to memory of 2328 2116 Lgdidgjg.exe 95 PID 2328 wrote to memory of 960 2328 Lcnfohmi.exe 96 PID 2328 wrote to memory of 960 2328 Lcnfohmi.exe 96 PID 2328 wrote to memory of 960 2328 Lcnfohmi.exe 96 PID 960 wrote to memory of 416 960 Nopfpgip.exe 97 PID 960 wrote to memory of 416 960 Nopfpgip.exe 97 PID 960 wrote to memory of 416 960 Nopfpgip.exe 97 PID 416 wrote to memory of 232 416 Ocgbld32.exe 98 PID 416 wrote to memory of 232 416 Ocgbld32.exe 98 PID 416 wrote to memory of 232 416 Ocgbld32.exe 98 PID 232 wrote to memory of 4640 232 Ojajin32.exe 99 PID 232 wrote to memory of 4640 232 Ojajin32.exe 99 PID 232 wrote to memory of 4640 232 Ojajin32.exe 99 PID 4640 wrote to memory of 1596 4640 Pjkmomfn.exe 100 PID 4640 wrote to memory of 1596 4640 Pjkmomfn.exe 100 PID 4640 wrote to memory of 1596 4640 Pjkmomfn.exe 100 PID 1596 wrote to memory of 1060 1596 Qjiipk32.exe 101 PID 1596 wrote to memory of 1060 1596 Qjiipk32.exe 101 PID 1596 wrote to memory of 1060 1596 Qjiipk32.exe 101 PID 1060 wrote to memory of 3748 1060 Amlogfel.exe 102 PID 1060 wrote to memory of 3748 1060 Amlogfel.exe 102 PID 1060 wrote to memory of 3748 1060 Amlogfel.exe 102 PID 3748 wrote to memory of 3628 3748 Bdojjo32.exe 103 PID 3748 wrote to memory of 3628 3748 Bdojjo32.exe 103 PID 3748 wrote to memory of 3628 3748 Bdojjo32.exe 103 PID 3628 wrote to memory of 1996 3628 Bpkdjofm.exe 104 PID 3628 wrote to memory of 1996 3628 Bpkdjofm.exe 104 PID 3628 wrote to memory of 1996 3628 Bpkdjofm.exe 104 PID 1996 wrote to memory of 1460 1996 Cgnomg32.exe 105 PID 1996 wrote to memory of 1460 1996 Cgnomg32.exe 105 PID 1996 wrote to memory of 1460 1996 Cgnomg32.exe 105 PID 1460 wrote to memory of 4416 1460 Dahmfpap.exe 106 PID 1460 wrote to memory of 4416 1460 Dahmfpap.exe 106 PID 1460 wrote to memory of 4416 1460 Dahmfpap.exe 106 PID 4416 wrote to memory of 4980 4416 Eohmkb32.exe 107 PID 4416 wrote to memory of 4980 4416 Eohmkb32.exe 107 PID 4416 wrote to memory of 4980 4416 Eohmkb32.exe 107 PID 4980 wrote to memory of 1432 4980 Eqncnj32.exe 108 PID 4980 wrote to memory of 1432 4980 Eqncnj32.exe 108 PID 4980 wrote to memory of 1432 4980 Eqncnj32.exe 108 PID 1432 wrote to memory of 4600 1432 Fbmohmoh.exe 109 PID 1432 wrote to memory of 4600 1432 Fbmohmoh.exe 109 PID 1432 wrote to memory of 4600 1432 Fbmohmoh.exe 109 PID 4600 wrote to memory of 1516 4600 Fkhpfbce.exe 110 PID 4600 wrote to memory of 1516 4600 Fkhpfbce.exe 110 PID 4600 wrote to memory of 1516 4600 Fkhpfbce.exe 110 PID 1516 wrote to memory of 2808 1516 Finnef32.exe 111 PID 1516 wrote to memory of 2808 1516 Finnef32.exe 111 PID 1516 wrote to memory of 2808 1516 Finnef32.exe 111 PID 2808 wrote to memory of 2060 2808 Gacepg32.exe 112
Processes
-
C:\Users\Admin\AppData\Local\Temp\43fcf215efe78f497a989f7cb7d9381f9e5659922be1f17210542500ee2770a3.exe"C:\Users\Admin\AppData\Local\Temp\43fcf215efe78f497a989f7cb7d9381f9e5659922be1f17210542500ee2770a3.exe"1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4400 -
C:\Windows\SysWOW64\Jmbhoeid.exeC:\Windows\system32\Jmbhoeid.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4196 -
C:\Windows\SysWOW64\Kpanan32.exeC:\Windows\system32\Kpanan32.exe3⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2616 -
C:\Windows\SysWOW64\Lcdciiec.exeC:\Windows\system32\Lcdciiec.exe4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2084 -
C:\Windows\SysWOW64\Lgdidgjg.exeC:\Windows\system32\Lgdidgjg.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2116 -
C:\Windows\SysWOW64\Lcnfohmi.exeC:\Windows\system32\Lcnfohmi.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2328 -
C:\Windows\SysWOW64\Nopfpgip.exeC:\Windows\system32\Nopfpgip.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:960 -
C:\Windows\SysWOW64\Ocgbld32.exeC:\Windows\system32\Ocgbld32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:416 -
C:\Windows\SysWOW64\Ojajin32.exeC:\Windows\system32\Ojajin32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:232 -
C:\Windows\SysWOW64\Pjkmomfn.exeC:\Windows\system32\Pjkmomfn.exe10⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4640 -
C:\Windows\SysWOW64\Qjiipk32.exeC:\Windows\system32\Qjiipk32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1596 -
C:\Windows\SysWOW64\Amlogfel.exeC:\Windows\system32\Amlogfel.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1060 -
C:\Windows\SysWOW64\Bdojjo32.exeC:\Windows\system32\Bdojjo32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3748 -
C:\Windows\SysWOW64\Bpkdjofm.exeC:\Windows\system32\Bpkdjofm.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3628 -
C:\Windows\SysWOW64\Cgnomg32.exeC:\Windows\system32\Cgnomg32.exe15⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1996 -
C:\Windows\SysWOW64\Dahmfpap.exeC:\Windows\system32\Dahmfpap.exe16⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1460 -
C:\Windows\SysWOW64\Eohmkb32.exeC:\Windows\system32\Eohmkb32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4416 -
C:\Windows\SysWOW64\Eqncnj32.exeC:\Windows\system32\Eqncnj32.exe18⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4980 -
C:\Windows\SysWOW64\Fbmohmoh.exeC:\Windows\system32\Fbmohmoh.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1432 -
C:\Windows\SysWOW64\Fkhpfbce.exeC:\Windows\system32\Fkhpfbce.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4600 -
C:\Windows\SysWOW64\Finnef32.exeC:\Windows\system32\Finnef32.exe21⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1516 -
C:\Windows\SysWOW64\Gacepg32.exeC:\Windows\system32\Gacepg32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2808 -
C:\Windows\SysWOW64\Glhimp32.exeC:\Windows\system32\Glhimp32.exe23⤵
- Executes dropped EXE
PID:2060 -
C:\Windows\SysWOW64\Hbenoi32.exeC:\Windows\system32\Hbenoi32.exe24⤵
- Executes dropped EXE
PID:2228 -
C:\Windows\SysWOW64\Hnlodjpa.exeC:\Windows\system32\Hnlodjpa.exe25⤵
- Executes dropped EXE
PID:5060 -
C:\Windows\SysWOW64\Hicpgc32.exeC:\Windows\system32\Hicpgc32.exe26⤵
- Executes dropped EXE
PID:1892 -
C:\Windows\SysWOW64\Hbnaeh32.exeC:\Windows\system32\Hbnaeh32.exe27⤵
- Executes dropped EXE
PID:1704 -
C:\Windows\SysWOW64\Ieojgc32.exeC:\Windows\system32\Ieojgc32.exe28⤵
- Executes dropped EXE
- Modifies registry class
PID:3824 -
C:\Windows\SysWOW64\Iojkeh32.exeC:\Windows\system32\Iojkeh32.exe29⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3600 -
C:\Windows\SysWOW64\Ipihpkkd.exeC:\Windows\system32\Ipihpkkd.exe30⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2320 -
C:\Windows\SysWOW64\Ibjqaf32.exeC:\Windows\system32\Ibjqaf32.exe31⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1648 -
C:\Windows\SysWOW64\Jemfhacc.exeC:\Windows\system32\Jemfhacc.exe32⤵
- Executes dropped EXE
PID:4032 -
C:\Windows\SysWOW64\Kapfiqoj.exeC:\Windows\system32\Kapfiqoj.exe33⤵
- Executes dropped EXE
PID:2816 -
C:\Windows\SysWOW64\Khiofk32.exeC:\Windows\system32\Khiofk32.exe34⤵
- Executes dropped EXE
PID:1292 -
C:\Windows\SysWOW64\Klggli32.exeC:\Windows\system32\Klggli32.exe35⤵
- Executes dropped EXE
PID:2388 -
C:\Windows\SysWOW64\Lohqnd32.exeC:\Windows\system32\Lohqnd32.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4360 -
C:\Windows\SysWOW64\Lojmcdgl.exeC:\Windows\system32\Lojmcdgl.exe37⤵
- Executes dropped EXE
PID:2752 -
C:\Windows\SysWOW64\Lhenai32.exeC:\Windows\system32\Lhenai32.exe38⤵
- Executes dropped EXE
PID:2636 -
C:\Windows\SysWOW64\Lfiokmkc.exeC:\Windows\system32\Lfiokmkc.exe39⤵
- Executes dropped EXE
PID:4688 -
C:\Windows\SysWOW64\Mjggal32.exeC:\Windows\system32\Mjggal32.exe40⤵
- Executes dropped EXE
PID:3956 -
C:\Windows\SysWOW64\Mokfja32.exeC:\Windows\system32\Mokfja32.exe41⤵
- Executes dropped EXE
PID:3584 -
C:\Windows\SysWOW64\Momcpa32.exeC:\Windows\system32\Momcpa32.exe42⤵
- Executes dropped EXE
PID:464 -
C:\Windows\SysWOW64\Njedbjej.exeC:\Windows\system32\Njedbjej.exe43⤵
- Executes dropped EXE
PID:3812 -
C:\Windows\SysWOW64\Nqoloc32.exeC:\Windows\system32\Nqoloc32.exe44⤵
- Executes dropped EXE
PID:1968 -
C:\Windows\SysWOW64\Nijqcf32.exeC:\Windows\system32\Nijqcf32.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2156 -
C:\Windows\SysWOW64\Nfqnbjfi.exeC:\Windows\system32\Nfqnbjfi.exe46⤵
- Executes dropped EXE
PID:1836 -
C:\Windows\SysWOW64\Objkmkjj.exeC:\Windows\system32\Objkmkjj.exe47⤵
- Executes dropped EXE
PID:4940 -
C:\Windows\SysWOW64\Oifppdpd.exeC:\Windows\system32\Oifppdpd.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2000 -
C:\Windows\SysWOW64\Oophlo32.exeC:\Windows\system32\Oophlo32.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4272 -
C:\Windows\SysWOW64\Aimogakj.exeC:\Windows\system32\Aimogakj.exe50⤵
- Executes dropped EXE
PID:4460 -
C:\Windows\SysWOW64\Adgmoigj.exeC:\Windows\system32\Adgmoigj.exe51⤵
- Executes dropped EXE
PID:4144 -
C:\Windows\SysWOW64\Aalmimfd.exeC:\Windows\system32\Aalmimfd.exe52⤵
- Executes dropped EXE
PID:1788 -
C:\Windows\SysWOW64\Baepolni.exeC:\Windows\system32\Baepolni.exe53⤵
- Executes dropped EXE
PID:2376 -
C:\Windows\SysWOW64\Bfaigclq.exeC:\Windows\system32\Bfaigclq.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3484 -
C:\Windows\SysWOW64\Cpljehpo.exeC:\Windows\system32\Cpljehpo.exe55⤵
- Executes dropped EXE
PID:1512 -
C:\Windows\SysWOW64\Calfpk32.exeC:\Windows\system32\Calfpk32.exe56⤵
- Executes dropped EXE
- Modifies registry class
PID:3896 -
C:\Windows\SysWOW64\Cgklmacf.exeC:\Windows\system32\Cgklmacf.exe57⤵
- Executes dropped EXE
PID:228 -
C:\Windows\SysWOW64\Dcibca32.exeC:\Windows\system32\Dcibca32.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4476 -
C:\Windows\SysWOW64\Dajbaika.exeC:\Windows\system32\Dajbaika.exe59⤵
- Executes dropped EXE
PID:5036 -
C:\Windows\SysWOW64\Dncpkjoc.exeC:\Windows\system32\Dncpkjoc.exe60⤵
- Executes dropped EXE
PID:3880 -
C:\Windows\SysWOW64\Enemaimp.exeC:\Windows\system32\Enemaimp.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4188 -
C:\Windows\SysWOW64\Ekimjn32.exeC:\Windows\system32\Ekimjn32.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3388 -
C:\Windows\SysWOW64\Eddnic32.exeC:\Windows\system32\Eddnic32.exe63⤵
- Executes dropped EXE
PID:3756 -
C:\Windows\SysWOW64\Fkcpql32.exeC:\Windows\system32\Fkcpql32.exe64⤵
- Executes dropped EXE
PID:404 -
C:\Windows\SysWOW64\Hkcbnh32.exeC:\Windows\system32\Hkcbnh32.exe65⤵
- Executes dropped EXE
PID:3648 -
C:\Windows\SysWOW64\Iapjgo32.exeC:\Windows\system32\Iapjgo32.exe66⤵PID:3740
-
C:\Windows\SysWOW64\Ilfodgeg.exeC:\Windows\system32\Ilfodgeg.exe67⤵PID:3400
-
C:\Windows\SysWOW64\Ibpgqa32.exeC:\Windows\system32\Ibpgqa32.exe68⤵PID:4264
-
C:\Windows\SysWOW64\Icachjbb.exeC:\Windows\system32\Icachjbb.exe69⤵PID:1044
-
C:\Windows\SysWOW64\Infhebbh.exeC:\Windows\system32\Infhebbh.exe70⤵PID:1032
-
C:\Windows\SysWOW64\Iholohii.exeC:\Windows\system32\Iholohii.exe71⤵
- Drops file in System32 directory
PID:3036 -
C:\Windows\SysWOW64\Ibgmaqfl.exeC:\Windows\system32\Ibgmaqfl.exe72⤵PID:4792
-
C:\Windows\SysWOW64\Jlanpfkj.exeC:\Windows\system32\Jlanpfkj.exe73⤵PID:180
-
C:\Windows\SysWOW64\Jejbhk32.exeC:\Windows\system32\Jejbhk32.exe74⤵PID:3320
-
C:\Windows\SysWOW64\Jogqlpde.exeC:\Windows\system32\Jogqlpde.exe75⤵PID:3048
-
C:\Windows\SysWOW64\Kaopoj32.exeC:\Windows\system32\Kaopoj32.exe76⤵PID:4664
-
C:\Windows\SysWOW64\Kdpiqehp.exeC:\Windows\system32\Kdpiqehp.exe77⤵PID:2316
-
C:\Windows\SysWOW64\Loemnnhe.exeC:\Windows\system32\Loemnnhe.exe78⤵PID:2012
-
C:\Windows\SysWOW64\Leoejh32.exeC:\Windows\system32\Leoejh32.exe79⤵PID:3528
-
C:\Windows\SysWOW64\Llimgb32.exeC:\Windows\system32\Llimgb32.exe80⤵PID:4304
-
C:\Windows\SysWOW64\Lknjhokg.exeC:\Windows\system32\Lknjhokg.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:1536 -
C:\Windows\SysWOW64\Lbebilli.exeC:\Windows\system32\Lbebilli.exe82⤵
- Drops file in System32 directory
PID:1620 -
C:\Windows\SysWOW64\Llngbabj.exeC:\Windows\system32\Llngbabj.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4756 -
C:\Windows\SysWOW64\Lbhool32.exeC:\Windows\system32\Lbhool32.exe84⤵PID:5136
-
C:\Windows\SysWOW64\Lhgdmb32.exeC:\Windows\system32\Lhgdmb32.exe85⤵PID:5180
-
C:\Windows\SysWOW64\Mkgmoncl.exeC:\Windows\system32\Mkgmoncl.exe86⤵PID:5264
-
C:\Windows\SysWOW64\Mccokj32.exeC:\Windows\system32\Mccokj32.exe87⤵PID:5308
-
C:\Windows\SysWOW64\Nocbfjmc.exeC:\Windows\system32\Nocbfjmc.exe88⤵
- Modifies registry class
PID:5360 -
C:\Windows\SysWOW64\Omcbkl32.exeC:\Windows\system32\Omcbkl32.exe89⤵PID:5400
-
C:\Windows\SysWOW64\Ooangh32.exeC:\Windows\system32\Ooangh32.exe90⤵PID:5444
-
C:\Windows\SysWOW64\Pdngpo32.exeC:\Windows\system32\Pdngpo32.exe91⤵PID:5492
-
C:\Windows\SysWOW64\Pkholi32.exeC:\Windows\system32\Pkholi32.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5588 -
C:\Windows\SysWOW64\Pbgqdb32.exeC:\Windows\system32\Pbgqdb32.exe93⤵
- Drops file in System32 directory
PID:5644 -
C:\Windows\SysWOW64\Pcfmneaa.exeC:\Windows\system32\Pcfmneaa.exe94⤵PID:5700
-
C:\Windows\SysWOW64\Qejfkmem.exeC:\Windows\system32\Qejfkmem.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5744 -
C:\Windows\SysWOW64\Qkdohg32.exeC:\Windows\system32\Qkdohg32.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5796 -
C:\Windows\SysWOW64\Qbngeadf.exeC:\Windows\system32\Qbngeadf.exe97⤵PID:5840
-
C:\Windows\SysWOW64\Qihoak32.exeC:\Windows\system32\Qihoak32.exe98⤵
- Drops file in System32 directory
PID:5884 -
C:\Windows\SysWOW64\Qpbgnecp.exeC:\Windows\system32\Qpbgnecp.exe99⤵PID:5944
-
C:\Windows\SysWOW64\Abpcja32.exeC:\Windows\system32\Abpcja32.exe100⤵
- Drops file in System32 directory
PID:5988 -
C:\Windows\SysWOW64\Aijlgkjq.exeC:\Windows\system32\Aijlgkjq.exe101⤵PID:6032
-
C:\Windows\SysWOW64\Afqifo32.exeC:\Windows\system32\Afqifo32.exe102⤵PID:6076
-
C:\Windows\SysWOW64\Bblcfo32.exeC:\Windows\system32\Bblcfo32.exe103⤵PID:6120
-
C:\Windows\SysWOW64\Bifkcioc.exeC:\Windows\system32\Bifkcioc.exe104⤵PID:5144
-
C:\Windows\SysWOW64\Cbhbbn32.exeC:\Windows\system32\Cbhbbn32.exe105⤵PID:5148
-
C:\Windows\SysWOW64\Deidjf32.exeC:\Windows\system32\Deidjf32.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5316 -
C:\Windows\SysWOW64\Eleimp32.exeC:\Windows\system32\Eleimp32.exe107⤵PID:4512
-
C:\Windows\SysWOW64\Ecdkdj32.exeC:\Windows\system32\Ecdkdj32.exe108⤵PID:5440
-
C:\Windows\SysWOW64\Elolco32.exeC:\Windows\system32\Elolco32.exe109⤵PID:5544
-
C:\Windows\SysWOW64\Ecidpiad.exeC:\Windows\system32\Ecidpiad.exe110⤵
- Drops file in System32 directory
PID:5620 -
C:\Windows\SysWOW64\Gcngafol.exeC:\Windows\system32\Gcngafol.exe111⤵PID:5724
-
C:\Windows\SysWOW64\Iqpclh32.exeC:\Windows\system32\Iqpclh32.exe112⤵
- Modifies registry class
PID:5792 -
C:\Windows\SysWOW64\Igjlibib.exeC:\Windows\system32\Igjlibib.exe113⤵
- Modifies registry class
PID:5864 -
C:\Windows\SysWOW64\Icgbob32.exeC:\Windows\system32\Icgbob32.exe114⤵PID:5916
-
C:\Windows\SysWOW64\Jjakkmpk.exeC:\Windows\system32\Jjakkmpk.exe115⤵PID:6024
-
C:\Windows\SysWOW64\Jgekdq32.exeC:\Windows\system32\Jgekdq32.exe116⤵PID:6020
-
C:\Windows\SysWOW64\Jjdgal32.exeC:\Windows\system32\Jjdgal32.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4468 -
C:\Windows\SysWOW64\Janpnfee.exeC:\Windows\system32\Janpnfee.exe118⤵PID:5216
-
C:\Windows\SysWOW64\Jghhjq32.exeC:\Windows\system32\Jghhjq32.exe119⤵PID:5160
-
C:\Windows\SysWOW64\Jnapgjdo.exeC:\Windows\system32\Jnapgjdo.exe120⤵PID:5384
-
C:\Windows\SysWOW64\Jcoioabf.exeC:\Windows\system32\Jcoioabf.exe121⤵
- Modifies registry class
PID:5512
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-